Privacy Policy

Version 2026.1.0
Last Updated: May 2026

My Commitment to Your Privacy

At McFarland IT Solutions, your privacy is not a formality. As a managed IT and cybersecurity service provider working with small and mid-sized businesses across the Kawarthas region, I handle information that matters -- to you, to your employees, and to the people your business serves. I take that responsibility seriously.

This Privacy Policy explains what personal information I collect, why I collect it, how it is used and protected, who it may be shared with, and what your rights are. It applies to all information collected through this website and through the direct delivery of IT and cybersecurity services.

McFarland IT Solutions complies with the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, the Personal Health Information Protection Act (PHIPA). This policy reflects both the letter and the intent of those laws.

Accountability and Privacy Officer

McFarland IT Solutions is a sole proprietorship owned and operated by Aaron McFarland. Aaron McFarland is the designated Privacy Officer for McFarland IT Solutions and is personally responsible for ensuring compliance with PIPEDA and this Privacy Policy. All privacy-related inquiries, access requests, correction requests, and compliance challenges should be directed to him using the contact information at the end of this policy.

Scope of This Policy

This policy applies to:

  • Personal information collected through the McFarland IT Solutions website (mcfarlandit.ca)

  • Personal information collected during the sales, onboarding, and service delivery process

  • Personal information belonging to client employees, end users, and other individuals whose data may be processed as part of delivering managed IT, managed cybersecurity, or cloud services

This policy governs both my role as a data controller (where I determine the purposes and means of processing) and my role as a data processor (where I process data on behalf of a client organisation). The distinction is explained further below.

What Information I Collect

Website and Direct Enquiries

When you visit this website or reach out to McFarland IT Solutions directly, I may collect:

  • Your full name

  • Business name

  • Email address

  • Phone number

  • Physical or mailing address

  • The content of any enquiry, support request, or message you submit

  • Any other information you voluntarily provide

I also collect non-identifying technical data such as browser type, device type, IP address, and website usage statistics through Squarespace's built-in analytics. This data is used solely to maintain and improve the performance of this website and is not used to identify individual visitors.

Managed Services and Security Tooling

As part of delivering managed IT and cybersecurity services, I deploy and operate specialised software tools on client devices and systems. These tools collect and process data as a necessary function of the services provided. The categories of data collected through these tools include:

  • Hardware and software inventory from managed endpoints

  • Device performance metrics, health status, and patch compliance data

  • System event logs, security event logs, and process activity

  • Endpoint telemetry including file system activity, network connections, and process behaviour, collected for the purpose of detecting and responding to cybersecurity threats

  • Email metadata, headers, and message content, processed for the purpose of filtering malicious email, enforcing email security policies, and investigating security incidents

  • Remote session data, where remote access is initiated during troubleshooting or service delivery

This data is collected from the devices and accounts of client employees and end users, not only from the individual who signed the service agreement. Clients are responsible for ensuring their employees are made aware that such monitoring and management tools are deployed on their devices as part of the organisation's IT services.

Limiting Collection

I collect only the personal information that is reasonably necessary for the identified purposes described in this policy. Information is not collected indiscriminately or beyond what is required to provide the services you have engaged.

How Your Information Is Used

Personal information collected through this website and through direct engagement is used to:

  • Respond to enquiries and support requests

  • Deliver the IT and cybersecurity services you have contracted

  • Communicate service-related updates, alerts, and notifications

  • Issue invoices and manage the billing relationship

  • Meet legal and regulatory obligations

  • Improve the quality and delivery of services using aggregated, anonymised data

Data collected through managed services tooling is used exclusively for the purpose of delivering those services -- specifically, to monitor device health, detect and respond to security threats, maintain system stability, and troubleshoot issues. This data is not used for any purpose beyond service delivery.

Your personal information is never sold, rented, or traded. It is only shared with third parties as described in this policy or as required by law.

My Role: Data Controller and Data Processor

McFarland IT Solutions operates in two distinct capacities depending on the context.

As a data controller, I determine the purposes and means of processing for information collected through this website and through the client relationship itself -- such as contact details, billing information, and service history. I am fully responsible for this information and how it is handled.

As a data processor, I act on behalf of client organisations when accessing or processing data that belongs to those organisations or their employees -- including endpoint telemetry, email content, and other data flowing through managed services tools deployed under a client's service agreement. In this capacity, I process data according to the instructions of the client organisation, which remains the data controller for its own business and employee information.

Clients who are themselves subject to PIPEDA, PHIPA, or other privacy obligations should ensure their own policies and disclosures account for the managed services relationship and the data processing that occurs as part of it.

Consent

I collect personal information with your knowledge and consent. For most information exchanged in the course of a business-to-business service relationship, implied consent applies -- for example, providing contact details to receive a quote or engage services. Where information is more sensitive, express consent will be sought.

You may withdraw consent at any time, subject to legal and contractual limitations. Withdrawal of consent to data collection that is essential to service delivery may mean that I am unable to continue providing those services. If you wish to withdraw consent, please contact me directly using the information at the end of this policy.

Third-Party Service Providers and Sub-Processors

To deliver IT and cybersecurity services, I engage specialised third-party platforms and tools. These service providers may process personal information on my behalf or on behalf of the clients I serve. I require that all service providers maintain appropriate data protection standards consistent with PIPEDA obligations.

The categories of platforms used in service delivery include:

Remote monitoring and management -- Collects hardware and software inventory, performance data, event logs, and patch status from managed endpoints. Also provides the capability for remote access sessions during troubleshooting and service delivery.

Endpoint detection and response -- Collects endpoint telemetry including process activity, file behaviour, and network connections for the purpose of detecting and responding to cybersecurity threats.

Cloud email security -- Processes inbound and outbound email content, headers, and attachments for the purpose of detecting and filtering malicious or unwanted email.

Endpoint protection -- Collects threat detection and activity data from managed endpoints for the purpose of identifying and remediating malware and other threats.

Endpoint privilege management -- Processes application execution requests and privilege elevation events on managed endpoints to enforce least-privilege security policies.

All platforms in the above categories are operated by third-party providers based in the United States. Additional service providers may be engaged for functions such as secure file transfer, cloud backup, or client communication, and will be disclosed upon request.

Cross-Border Data Transfers

The service providers listed above operate primarily in the United States. When personal information is processed by these platforms, it may be transferred to and stored in the United States. As a result, that information may be subject to the laws of the United States, including laws that permit access by courts, law enforcement agencies, and national security authorities.

I address this risk by engaging only reputable, established service providers with documented security practices and data protection commitments, and where applicable, through contractual terms that require those providers to maintain a comparable level of protection to that required under PIPEDA.

If you have concerns about cross-border data transfer or wish to understand how a specific platform handles your data, please contact me and I will provide further information or direct you to the relevant provider's documentation.

Accuracy

I take reasonable steps to ensure that personal information in my possession is accurate, complete, and up-to-date for the purposes for which it is used. If you believe that information I hold about you or your organisation is inaccurate or incomplete, you may request a correction at any time using the contact information at the end of this policy.

Data Security

I maintain reasonable and appropriate technical and administrative safeguards to protect personal information against loss, theft, unauthorised access, disclosure, copying, use, or modification. These measures include:

  • Encryption of sensitive data in transit and at rest where applicable

  • Multi-factor authentication on administrative accounts and service platforms

  • Role-based access controls limiting access to information on a need-to-know basis

  • Ongoing monitoring of managed environments through the security tools described in this policy

  • Prompt patching and vulnerability management on managed endpoints

  • Secure and verifiable data deletion practices when information is no longer required

No security measure is absolute. In the event of a security incident affecting personal information, I will respond in accordance with the breach notification obligations described below.

Data Retention

Personal information is retained only for as long as is necessary to fulfil the purposes for which it was collected, to comply with legal and regulatory obligations, and to support legitimate business needs such as dispute resolution or service continuity.

Client information is generally retained for the duration of the service relationship and for a reasonable period following its conclusion, consistent with applicable limitation periods under Ontario law.

When data is no longer required, it is securely destroyed using methods appropriate to the sensitivity of the information.

All records of privacy breaches, as described below, are retained for a minimum of 24 months regardless of whether they were reported to the Office of the Privacy Commissioner of Canada, as required by PIPEDA's Breach of Security Safeguards Regulations.

Breach of Security Safeguards

McFarland IT Solutions takes its obligations under PIPEDA's mandatory breach reporting requirements seriously.

In the event of a breach of security safeguards involving personal information under my control or custody -- including information processed through managed services platforms -- I will assess whether the breach creates a real risk of significant harm to any affected individual. Relevant factors in that assessment include the sensitivity of the information involved, the likelihood that the information could be misused, and the nature and scope of the breach.

Where a real risk of significant harm exists, I am obligated to:

  • Report the breach to the Office of the Privacy Commissioner of Canada as soon as feasible

  • Notify affected individuals directly, providing sufficient information for them to understand what occurred and take protective action

  • Notify any other organisation or government institution that may be able to reduce the risk of harm resulting from the breach, where applicable

I maintain records of all breaches of security safeguards for a minimum of 24 months, regardless of whether they meet the reporting threshold, in sufficient detail to allow the OPC to verify compliance.

If you are a client and you believe a security incident may have occurred affecting data I hold or manage on your behalf, please contact me immediately.

Marketing Communications

Marketing communications -- including service announcements, updates, or any promotional material -- are sent only to individuals who have provided express consent in accordance with Canada's Anti-Spam Legislation (CASL). You may withdraw consent and unsubscribe at any time by using the unsubscribe link in any such communication or by contacting me directly. Withdrawal of marketing consent has no effect on service-related communications, which I will continue to send as required to deliver the services you have engaged.

Your Rights Under PIPEDA

In accordance with PIPEDA, you have the right to:

  • Request access to any personal information I hold about you, provided at no charge

  • Request correction of inaccurate or incomplete information

  • Withdraw consent to the collection or use of your information, subject to legal and contractual limitations

  • Request deletion of your information, subject to legal retention obligations and legitimate service-related requirements

  • Be informed of any third parties to whom your information has been disclosed

To exercise any of these rights, please contact Aaron McFarland using the information below. I will respond to all requests within 30 days of receipt. If additional time is required, I will notify you within that initial 30-day period and explain the reason for the delay.

If you are not satisfied with my response to a privacy request or complaint, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. The OPC can be reached at www.priv.gc.ca or by calling 1-800-282-1376.

Healthcare and Regulated Industry Clients

Where McFarland IT Solutions provides services to clients operating in regulated industries -- including healthcare, dental, financial services, or legal services -- additional privacy safeguards apply.

For clients subject to the Personal Health Information Protection Act (PHIPA) in Ontario, personal health information encountered in the course of service delivery is treated with the heightened protections required under that legislation. Clients in regulated industries are responsible for ensuring that their engagement of McFarland IT Solutions as a service provider is consistent with their own compliance obligations, and I am happy to support that process with appropriate documentation or agreements.

Data Recovery and Repair Services

Where McFarland IT Solutions performs break/fix or data recovery work on a device:

  • Temporary backups may be created for the purpose of protecting data during the service and will be securely deleted once the work is complete and confirmed

  • Client files will not be accessed or reviewed beyond what is necessary to complete the service

  • All data encountered during repair work is treated with strict confidentiality

If a device is serviced without a backup in place and data loss occurs, McFarland IT Solutions is not responsible for that loss. Clients are strongly encouraged to maintain regular backups. If you need assistance setting up a reliable backup solution, I am glad to help.

Note that this section applies specifically to one-time repair and recovery work. Ongoing managed services involve continuous and intentional monitoring of device data as described earlier in this policy, which is a core and intended function of those services.

Website Cookies and Tracking

This website is hosted on Squarespace, which uses cookies and similar tracking technologies to support site functionality, remember user preferences, and collect usage analytics. Cookies are small data files stored on your device.

By using this website, you consent to the use of cookies consistent with Squarespace's platform practices. You can manage or disable cookies through your browser settings, though doing so may affect the functionality of certain parts of this website. For more information on how Squarespace handles data, you may review Squarespace's privacy policy at squarespace.com.

Non-identifying usage data such as page views, session duration, and general geographic region may be collected to help understand how the website is used and to improve its content and performance.

Third-Party Links

This website may contain links to third-party websites. McFarland IT Solutions does not control, endorse, or accept responsibility for the privacy practices or content of those sites. I encourage you to review the privacy policies of any third-party site you visit.

Policy Updates

This Privacy Policy may be updated from time to time to reflect changes in services, technology, applicable law, or business practices. The version number and date at the top of this policy will be updated with each revision. Where changes are material, I will make reasonable efforts to notify active clients through email or service communications. The current version of this policy is always available at mcfarlandit.ca/privacy-policy.

Contact and Challenging Compliance

For questions, requests, or concerns about this Privacy Policy or McFarland IT Solutions' privacy practices, please contact:

Aaron McFarland Privacy Officer, McFarland IT Solutions Email: help@mcfarlandit.ca Phone: 705-768-8399 Location: Lindsay, Ontario, Canada

If you wish to challenge compliance with this policy or with PIPEDA, you may direct that challenge to Aaron McFarland at the contact information above. If you are not satisfied with the response, you may escalate your concern to the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or 1-800-282-1376.